Closed Bug 1476952 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-use-after-free src/gfx/cairo/cairo/src/cairo-array.c:455:15 in _cairo_user_data_array_get_data

Categories: Core :: Graphics: Text, defect
59 Branch
defect
Not set
critical

RESOLVED WORKSFORME

People: Reporter: jkratzer, Unassigned

References: Blocks 1 open bug

Details: 4 keywords
Found while fuzzing mozilla-central rev 5a8107262015 (2018-07-18). I don't currently have a testcase but will update this bug if/when one becomes available.

==25302==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030004f14d0 at pc 0x7fc802199809 bp 0x7fc7e0c8b310 sp 0x7fc7e0c8b308
READ of size 8 at 0x6030004f14d0 thread T31 (PaintWorker #3)
    #0 0x7fc802199808 in _cairo_user_data_array_get_data src/gfx/cairo/cairo/src/cairo-array.c:455:15
    #1 0x7fc8028f8257 in SkCreateTypefaceFromCairoFTFontWithFontconfig(_cairo_scaled_font*, _FcPattern*) src/gfx/skia/skia/src/ports/SkFontHost_cairo.cpp:311:58
    #2 0x7fc7f909eceb in mozilla::gfx::ScaledFontFontconfig::GetSkTypeface() src/gfx/2d/ScaledFontFontconfig.cpp:49:17
    #3 0x7fc7f9012dd1 in mozilla::gfx::DrawTargetSkia::DrawGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const*, mozilla::gfx::DrawOptions const&) src/gfx/2d/DrawTargetSkia.cpp:1389:36
    #4 0x7fc7f918af81 in mozilla::gfx::FillGlyphsCommand::ExecuteOnDT(mozilla::gfx::DrawTarget*, mozilla::gfx::BaseMatrix<float> const*) const src/gfx/2d/DrawCommands.h:632:10
    #5 0x7fc7f90c2f21 in mozilla::gfx::DrawTargetCaptureImpl::ReplayToDrawTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::BaseMatrix<float> const&) src/gfx/2d/DrawTargetCapture.cpp:351:10
    #6 0x7fc7f90c2cd9 in mozilla::gfx::DrawTarget::DrawCapturedDT(mozilla::gfx::DrawTargetCapture*, mozilla::gfx::BaseMatrix<float> const&) src/gfx/2d/DrawTarget.cpp:187:52
    #7 0x7fc7f95b4236 in Paint src/gfx/layers/PaintThread.cpp:126:12
    #8 0x7fc7f95b4236 in mozilla::layers::PaintThread::AsyncPaintTiledContents(mozilla::layers::CompositorBridgeChild*, mozilla::layers::CapturedTiledPaintState*) src/gfx/layers/PaintThread.cpp:457
    #9 0x7fc7f9609b0a in mozilla::detail::RunnableFunction<mozilla::layers::PaintThread::PaintTiledContents(mozilla::layers::CapturedTiledPaintState*)::$_9>::Run() src/gfx/layers/PaintThread.cpp:437:11
    #10 0x7fc7f6711182 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:231:14
    #11 0x7fc7f6711e24 in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #12 0x7fc7f6703f38 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
    #13 0x7fc7f670c755 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #14 0x7fc7f78d41df in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:334:20
    #15 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #16 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #17 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #18 0x7fc7f66fcf61 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:423:11
    #19 0x7fc817790dc8 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #20 0x7fc81ad8a6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #21 0x7fc819e1341c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6030004f14d0 is located 0 bytes inside of 24-byte region [0x6030004f14d0,0x6030004f14e8)
freed by thread T29 (PaintWorker #1) here:
    #0 0x4c5442 in realloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107:3
    #1 0x7fc8021989b0 in _cairo_array_grow_by src/gfx/cairo/cairo/src/cairo-array.c:159:20
    #2 0x7fc802199af7 in _cairo_array_allocate src/gfx/cairo/cairo/src/cairo-array.c:335:14
    #3 0x7fc802199af7 in _cairo_array_append_multiple src/gfx/cairo/cairo/src/cairo-array.c:301
    #4 0x7fc802199af7 in _cairo_array_append src/gfx/cairo/cairo/src/cairo-array.c:276
    #5 0x7fc802199af7 in _cairo_user_data_array_set_data src/gfx/cairo/cairo/src/cairo-array.c:521
    #6 0x7fc8028f847e in SkCairoFTTypeface src/gfx/skia/skia/src/ports/SkFontHost_cairo.cpp:282:9
    #7 0x7fc8028f847e in SkCairoFTTypeface::CreateTypeface(_cairo_font_face*, FT_FaceRec_*, _FcPattern*) src/gfx/skia/skia/src/ports/SkFontHost_cairo.cpp:188
    #8 0x7fc8028f8298 in SkCreateTypefaceFromCairoFTFontWithFontconfig(_cairo_scaled_font*, _FcPattern*) src/gfx/skia/skia/src/ports/SkFontHost_cairo.cpp:317:24
    #9 0x7fc7f909eceb in mozilla::gfx::ScaledFontFontconfig::GetSkTypeface() src/gfx/2d/ScaledFontFontconfig.cpp:49:17
    #10 0x7fc7f9012dd1 in mozilla::gfx::DrawTargetSkia::DrawGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const*, mozilla::gfx::DrawOptions const&) src/gfx/2d/DrawTargetSkia.cpp:1389:36
    #11 0x7fc7f918af81 in mozilla::gfx::FillGlyphsCommand::ExecuteOnDT(mozilla::gfx::DrawTarget*, mozilla::gfx::BaseMatrix<float> const*) const src/gfx/2d/DrawCommands.h:632:10
    #12 0x7fc7f90c2f21 in mozilla::gfx::DrawTargetCaptureImpl::ReplayToDrawTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::BaseMatrix<float> const&) src/gfx/2d/DrawTargetCapture.cpp:351:10
    #13 0x7fc7f90c2cd9 in mozilla::gfx::DrawTarget::DrawCapturedDT(mozilla::gfx::DrawTargetCapture*, mozilla::gfx::BaseMatrix<float> const&) src/gfx/2d/DrawTarget.cpp:187:52
    #14 0x7fc7f95b4236 in Paint src/gfx/layers/PaintThread.cpp:126:12
    #15 0x7fc7f95b4236 in mozilla::layers::PaintThread::AsyncPaintTiledContents(mozilla::layers::CompositorBridgeChild*, mozilla::layers::CapturedTiledPaintState*) src/gfx/layers/PaintThread.cpp:457
    #16 0x7fc7f9609b0a in mozilla::detail::RunnableFunction<mozilla::layers::PaintThread::PaintTiledContents(mozilla::layers::CapturedTiledPaintState*)::$_9>::Run() src/gfx/layers/PaintThread.cpp:437:11
    #17 0x7fc7f6711182 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:231:14
    #18 0x7fc7f6711e24 in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #19 0x7fc7f6703f38 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
    #20 0x7fc7f670c755 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #21 0x7fc7f78d41df in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:334:20
    #22 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #23 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #24 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #25 0x7fc7f66fcf61 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:423:11
    #26 0x7fc817790dc8 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #27 0x7fc81ad8a6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c5442 in realloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107:3
    #1 0x7fc8021989b0 in _cairo_array_grow_by src/gfx/cairo/cairo/src/cairo-array.c:159:20
    #2 0x7fc802199af7 in _cairo_array_allocate src/gfx/cairo/cairo/src/cairo-array.c:335:14
    #3 0x7fc802199af7 in _cairo_array_append_multiple src/gfx/cairo/cairo/src/cairo-array.c:301
    #4 0x7fc802199af7 in _cairo_array_append src/gfx/cairo/cairo/src/cairo-array.c:276
    #5 0x7fc802199af7 in _cairo_user_data_array_set_data src/gfx/cairo/cairo/src/cairo-array.c:521
    #6 0x7fc7f9b83e14 in gfxFT2FontBase::GetGlyph(unsigned int) src/gfx/thebes/gfxFT2FontBase.cpp:85:13
    #7 0x7fc7f9b82617 in GetCharWidth src/gfx/thebes/gfxFT2FontBase.cpp:175:19
    #8 0x7fc7f9b82617 in gfxFT2FontBase::InitMetrics() src/gfx/thebes/gfxFT2FontBase.cpp:405
    #9 0x7fc7f9b80f9e in gfxFT2FontBase::gfxFT2FontBase(RefPtr<mozilla::gfx::UnscaledFontFreeType> const&, _cairo_scaled_font*, gfxFontEntry*, gfxFontStyle const*) src/gfx/thebes/gfxFT2FontBase.cpp:37:5
    #10 0x7fc7f9b9040d in gfxFontconfigFont src/gfx/thebes/gfxFcPlatformFontList.cpp:1447:7
    #11 0x7fc7f9b9040d in gfxFontconfigFontEntry::CreateFontInstance(gfxFontStyle const*) src/gfx/thebes/gfxFcPlatformFontList.cpp:1064
    #12 0x7fc7f9d0cebd in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, gfxCharacterMap*) src/gfx/thebes/gfxFontEntry.cpp:258:28
    #13 0x7fc7f9da5fb5 in gfxFontGroup::GetFontAt(int, unsigned int) src/gfx/thebes/gfxTextRun.cpp:1950:20
    #14 0x7fc7f9da8f04 in gfxFontGroup::GetFirstValidFont(unsigned int, mozilla::FontFamilyType*) src/gfx/thebes/gfxTextRun.cpp:2133:16
    #15 0x7fc7f92b1e1d in nsFontMetrics::GetMetrics(gfxFont::Orientation) const src/gfx/src/nsFontMetrics.cpp:169:24
    #16 0x7fc7f92b2830 in GetMetrics src/gfx/src/nsFontMetrics.h:244:14
    #17 0x7fc7f92b2830 in nsFontMetrics::ExternalLeading() src/gfx/src/nsFontMetrics.cpp:240
    #18 0x7fc800b99d3a in GetNormalLineHeight src/layout/generic/ReflowInput.cpp:2805:43
    #19 0x7fc800b99d3a in ComputeLineHeight src/layout/generic/ReflowInput.cpp:2862
    #20 0x7fc800b99d3a in mozilla::ReflowInput::CalcLineHeight(nsIContent*, mozilla::ComputedStyle*, nsPresContext*, int, float) src/layout/generic/ReflowInput.cpp:2889
    #21 0x7fc800b6540c in CalcLineHeight src/layout/generic/ReflowInput.cpp:2872:10
    #22 0x7fc800b6540c in mozilla::BlockReflowInput::BlockReflowInput(mozilla::ReflowInput const&, nsPresContext*, nsBlockFrame*, bool, bool, bool, int) src/layout/generic/BlockReflowInput.cpp:142
    #23 0x7fc800bf3292 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1186:20
    #24 0x7fc800c7303b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #25 0x7fc800c70927 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:792:5
    #26 0x7fc800c7303b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #27 0x7fc800da591b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:580:3
    #28 0x7fc800da7484 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:703:3
    #29 0x7fc800dac67b in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1080:3
    #30 0x7fc800bceb98 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:995:14
    #31 0x7fc800bcd454 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:330:7
    #32 0x7fc800929ccc in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:8993:11
    #33 0x7fc8009447b8 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9166:24
    #34 0x7fc800942985 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4340:11
    #35 0x7fc7fdd9eb59 in FlushPendingNotifications src/obj-firefox/dist/include/nsIPresShell.h:566:5
    #36 0x7fc7fdd9eb59 in FlushPendingEvents src/dom/events/EventStateManager.cpp:5515
    #37 0x7fc7fdd9eb59 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:690
    #38 0x7fc80097467b in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:7619:19
    #39 0x7fc80096f42a in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:7264:17
    #40 0x7fc800109641 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:812:14

Thread T31 (PaintWorker #3) created by T0 (file:// Content) here:
    #0 0x4ae0cd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fc81778db05 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fc81778d6ee in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fc7f66ffe63 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:597:8
    #4 0x7fc7f670b229 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7fc7f670f94a in NS_NewNamedThread src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7fc7f670f94a in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:109
    #7 0x7fc7f6712076 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:280:5
    #8 0x7fc7f95b3a08 in mozilla::layers::PaintThread::PaintTiledContents(mozilla::layers::CapturedTiledPaintState*) src/gfx/layers/PaintThread.cpp:441:18
    #9 0x7fc7f994f43e in mozilla::layers::ClientMultiTiledLayerBuffer::Update(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::TilePaintFlags) src/gfx/layers/client/MultiTiledContentClient.cpp:242:31
    #10 0x7fc7f994c3ce in mozilla::layers::ClientMultiTiledLayerBuffer::PaintThebes(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::TilePaintFlags) src/gfx/layers/client/MultiTiledContentClient.cpp:129:3
    #11 0x7fc7f99299d8 in mozilla::layers::ClientTiledPaintedLayer::RenderHighPrecision(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/client/ClientTiledPaintedLayer.cpp:354:37
    #12 0x7fc7f99307f3 in mozilla::layers::ClientTiledPaintedLayer::RenderLayer() src/gfx/layers/client/ClientTiledPaintedLayer.cpp:556:31
    #13 0x7fc7f9976b5c in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
    #14 0x7fc7f99146f3 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:375:13
    #15 0x7fc7f9915836 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:433:3
    #16 0x7fc80154e176 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2757:19
    #17 0x7fc800ab8266 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3843:12
    #18 0x7fc80096277d in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6320:5
    #19 0x7fc80010ec07 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
    #20 0x7fc80010da3c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
    #21 0x7fc800113046 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
    #22 0x7fc8008b858b in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2042:11
    #23 0x7fc8008c8762 in TickDriver src/layout/base/nsRefreshDriver.cpp:324:13
    #24 0x7fc8008c8762 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:299
    #25 0x7fc8008c8291 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:317:5
    #26 0x7fc8008cb8b1 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:755:5
    #27 0x7fc8008cb8b1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:671
    #28 0x7fc8008cb38b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:571:9
    #29 0x7fc8013734f6 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #30 0x7fc7f82bbd9d in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #31 0x7fc7f8085330 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2214:28
    #32 0x7fc7f78c885e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2134:25
    #33 0x7fc7f78c418e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2064:17
    #34 0x7fc7f78c65ed in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1910:5
    #35 0x7fc7f78c7347 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1943:15
    #36 0x7fc7f6703f38 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
    #37 0x7fc7f670c755 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #38 0x7fc7f78d2b4e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #39 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #40 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #41 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #42 0x7fc8001f74a6 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #43 0x7fc8044f497e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:921:22
    #44 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #45 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #46 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #47 0x7fc8044f3b3c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:747:34
    #48 0x4f5511 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #49 0x4f5511 in main src/browser/app/nsBrowserApp.cpp:287
    #50 0x7fc819d2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Thread T29 (PaintWorker #1) created by T0 (file:// Content) here:
    #0 0x4ae0cd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fc81778db05 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fc81778d6ee in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fc7f66ffe63 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:597:8
    #4 0x7fc7f670b229 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7fc7f670f94a in NS_NewNamedThread src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7fc7f670f94a in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:109
    #7 0x7fc7f6712076 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:280:5
    #8 0x7fc7f95b3a08 in mozilla::layers::PaintThread::PaintTiledContents(mozilla::layers::CapturedTiledPaintState*) src/gfx/layers/PaintThread.cpp:441:18
    #9 0x7fc7f994f43e in mozilla::layers::ClientMultiTiledLayerBuffer::Update(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::TilePaintFlags) src/gfx/layers/client/MultiTiledContentClient.cpp:242:31
    #10 0x7fc7f994c3ce in mozilla::layers::ClientMultiTiledLayerBuffer::PaintThebes(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::TilePaintFlags) src/gfx/layers/client/MultiTiledContentClient.cpp:129:3
    #11 0x7fc7f99299d8 in mozilla::layers::ClientTiledPaintedLayer::RenderHighPrecision(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/client/ClientTiledPaintedLayer.cpp:354:37
    #12 0x7fc7f99307f3 in mozilla::layers::ClientTiledPaintedLayer::RenderLayer() src/gfx/layers/client/ClientTiledPaintedLayer.cpp:556:31
    #13 0x7fc7f9976b5c in mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
    #14 0x7fc7f99146f3 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:375:13
    #15 0x7fc7f9915836 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:433:3
    #16 0x7fc80154e176 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2757:19
    #17 0x7fc800ab8266 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3843:12
    #18 0x7fc80096277d in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6320:5
    #19 0x7fc80010ec07 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
    #20 0x7fc80010da3c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
    #21 0x7fc800113046 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
    #22 0x7fc8008b858b in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2042:11
    #23 0x7fc8008c8762 in TickDriver src/layout/base/nsRefreshDriver.cpp:324:13
    #24 0x7fc8008c8762 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:299
    #25 0x7fc8008c8291 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:317:5
    #26 0x7fc8008cb8b1 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:755:5
    #27 0x7fc8008cb8b1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:671
    #28 0x7fc8008cb38b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:571:9
    #29 0x7fc8013734f6 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #30 0x7fc7f82bbd9d in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #31 0x7fc7f8085330 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2214:28
    #32 0x7fc7f78c885e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2134:25
    #33 0x7fc7f78c418e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2064:17
    #34 0x7fc7f78c65ed in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1910:5
    #35 0x7fc7f78c7347 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1943:15
    #36 0x7fc7f6703f38 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
    #37 0x7fc7f670c755 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #38 0x7fc7f78d2b4e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #39 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #40 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #41 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #42 0x7fc8001f74a6 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #43 0x7fc8044f497e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:921:22
    #44 0x7fc7f77d829c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #45 0x7fc7f77d829c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #46 0x7fc7f77d829c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #47 0x7fc8044f3b3c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:747:34
    #48 0x4f5511 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #49 0x4f5511 in main src/browser/app/nsBrowserApp.cpp:287
    #50 0x7fc819d2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free src/gfx/cairo/cairo/src/cairo-array.c:455:15 in _cairo_user_data_array_get_data
Shadow bytes around the buggy address:
  0x0c0680096240: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c0680096250: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c0680096260: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c0680096270: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c0680096280: fa fa fd fd fd fd fa fa fd fd fd fa fa fa 00 00
=>0x0c0680096290: 00 00 fa fa 00 00 00 fa fa fa[fd]fd fd fa fa fa
  0x0c06800962a0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c06800962b0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c06800962c0: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c06800962d0: 00 00 00 00 fa fa 00 00 00 fa fa fa fd fd fd fd
  0x0c06800962e0: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25302==ABORTING
This may be a Skia font problem rather than a cairo one. Maybe a race? It was freed and accessed on different threads. Jonathan: please move the bug and CC other folks if this isn't yours
Component: Graphics → Graphics: Text
Flags: needinfo?(jfkthame)
It looks like CreateTypeface -> SkCairoFTTypeface mutates the cairo_font_face_t (appending to an array and resizing it), so if that was shared across multiple threads it'd produce this behavior.
I'm not all that familiar with the Skia world; this feels more like Lee's area. Redirecting needinfo....
Flags: needinfo?(jfkthame) → needinfo?(lsalzman)
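The sharing pattern the comment above describes, as an added example that is not cairo's, Skia's or Firefox's code: a minimal realloc-grown user-data array whose unlocked get/set mirror the _cairo_user_data_array_get_data / _set_data shape seen in the two stacks, beside a mutex-protected variant that several worker threads drive at once. The slot layout, the single mutex, the WORKERS/ROUNDS stress loop and the use of array addresses as keys are assumptions for illustration only.

```c
/* Added example, not cairo/Skia/Firefox code: a minimal model of a realloc-grown
 * user-data array (the cairo_user_data_array_t pattern) next to a mutex-protected
 * variant, exercised from several worker threads. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
/* One key/value slot; cairo's also carries a destroy callback (omitted here). */
typedef struct { const void *key; void *user_data; } slot_t;
/* Growable array. When full, realloc() may move the buffer and free the old one,
 * which is the free() the report's "freed by" stack attributes to _cairo_array_grow_by. */
typedef struct {
    slot_t *slots;
    size_t num_elements, size;
    pthread_mutex_t lock;   /* used only by the hardened get/set below */
} user_data_array_t;

static void uda_init(user_data_array_t *a) {
    memset(a, 0, sizeof *a);
    pthread_mutex_init(&a->lock, NULL);
}

/* Unlocked lookup, in the spirit of _cairo_user_data_array_get_data: walks the slot
 * buffer in place, so a concurrent realloc() on another thread turns this read into
 * a heap-use-after-free. */
static void *uda_get_unlocked(const user_data_array_t *a, const void *key) {
    for (size_t i = 0; i < a->num_elements; i++)
        if (a->slots[i].key == key)
            return a->slots[i].user_data;
    return NULL;
}

/* Unlocked append, in the spirit of _cairo_user_data_array_set_data. */
static int uda_set_unlocked(user_data_array_t *a, const void *key, void *data) {
    if (a->num_elements == a->size) {
        size_t n = a->size ? a->size * 2 : 4;
        slot_t *p = (slot_t *)realloc(a->slots, n * sizeof *p);  /* may free old buffer */
        if (p == NULL) return -1;
        a->slots = p; a->size = n;
    }
    a->slots[a->num_elements++] = (slot_t){ key, data };
    return 0;
}

/* Hardened variant: traversal and growth take the same mutex, so no reader can
 * observe a buffer that a writer is in the middle of replacing. */
static void *uda_get(user_data_array_t *a, const void *key) {
    pthread_mutex_lock(&a->lock);
    void *v = uda_get_unlocked(a, key);
    pthread_mutex_unlock(&a->lock);
    return v;
}
static int uda_set(user_data_array_t *a, const void *key, void *data) {
    pthread_mutex_lock(&a->lock);
    int rc = uda_set_unlocked(a, key, data);
    pthread_mutex_unlock(&a->lock);
    return rc;
}

/* Stress driver (assumed scenario): WORKERS "paint worker" threads share one array,
 * each attaching values under its own keys while looking up the others' keys, the way
 * several paint threads would share one font face. */
#define WORKERS 4
#define ROUNDS  1000
static user_data_array_t shared;
static int keys[WORKERS][ROUNDS];   /* distinct addresses double as keys and values */

static void *worker(void *arg) {
    long id = (long)arg, bad = 0;
    for (int r = 0; r < ROUNDS; r++) {
        if (uda_set(&shared, &keys[id][r], &keys[id][r]) != 0) bad++;
        for (long o = 0; o < WORKERS; o++) {
            void *v = uda_get(&shared, &keys[o][r]);
            if (v != NULL && v != &keys[o][r]) bad++;   /* wrong value returned */
        }
    }
    return (void *)bad;
}

/* Returns the number of failed or inconsistent operations; 0 means the locked array
 * survived concurrent growth and lookups intact. */
static long run_stress(void) {
    pthread_t t[WORKERS];
    long bad = 0;
    uda_init(&shared);
    for (long i = 0; i < WORKERS; i++)
        pthread_create(&t[i], NULL, worker, (void *)i);
    for (long i = 0; i < WORKERS; i++) { void *r; pthread_join(t[i], &r); bad += (long)r; }
    for (long i = 0; i < WORKERS; i++)   /* afterwards every entry must be findable */
        for (int r = 0; r < ROUNDS; r++)
            if (uda_get(&shared, &keys[i][r]) != &keys[i][r]) bad++;
    return bad;
}
```

Swapping the `uda_get`/`uda_set` calls in `worker` for their `_unlocked` counterparts and building with `-fsanitize=address` reproduces the same class of report as the one above (read of a slot in a region freed by `realloc` on another thread), which is a useful regression check for shared-object lifetimes.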
Group: core-security → gfx-core-security
I think this is fixed by bug 1478084.
Flags: needinfo?(lsalzman)
Jason, can you still reproduce this?
Flags: needinfo?(jkratzer)
(In reply to Jeff Muizelaar [:jrmuizel] from comment #6)
> Jason, can you still reproduce this?

I don't have a testcase to verify but I also haven't seen this crash since July 27th.
Flags: needinfo?(jkratzer)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Group: gfx-core-security